Answer: Assign the bigquery.dataViewer role to em-databases-app and appropriate roles to web-applications.

Option A is incorrect because IAM roles are assigned to users and service accounts, not projects. Granting the project owner role to web-applications does not ensure the service account in web-applications can access the BigQuery dataset in em-databases-app. The project owner role only allows managing the project, not accessing resources in other projects. Option B is incorrect because the project owner role is too broad. It grants full control over both projects but does not specifically allow the service account in web-applications to access the BigQuery dataset in em-databases-app. Option C is incorrect because assigning the project owner role to em-databases-app and the bigquery.dataViewer role to web-applications does not grant the service account in web-applications access to the dataset in em-databases-app. The bigquery.dataViewer role only permits viewing data in BigQuery, not accessing datasets in other projects. Option D is correct because assigning the bigquery.dataViewer role to em-databases-app ensures the service account there can view the dataset. Granting appropriate roles to web-applications ensures its service account can also access the dataset, adhering to Google's principle of least privilege by providing only necessary read access. Reference: [Google Cloud BigQuery Access Control Examples](https://cloud.google.com/bigquery/docs/access-control-examples#read_access_to_data_in_a_different_project)

Author: LeetQuiz Editorial Team